Don’t Rely on Backups Alone to Recover From a Ransomware Attack
Don’t Rely on Backups Alone to Recover From a Ransomware Attack
Despite the panic it caused, The Wannacry ransomware was a financial flop. The reason was it primarily targeted enterprises with enterprise-grade backup. This meant most targets could simply restore their system and not pay the ransom. But in 2021 ransomware attacks have become more frequent and sophisticated. Relying on backup alone to save your business from a ransomware attack won’t work. Here’s what you need to do instead.
What is Ransomware?
Ransomware, a type of malware, is software that will encrypt files and demands a ransom payment to release them. The perpetrator of the ransomware attack in exchange for payments, which for a mid-sized company average $170,404, will provide a decryption key when the ransom is paid. Inputting this decryption key will then unlock the encrypted files.
The challenge associated with ransomware is that it is harder for law enforcement to pursue those that create and spread ransomware. Payments are usually made using the Tor browser and paid with cryptocurrency, meaning they are in most cases untraceable without serious pursuit from units like the FBI. In most cases, law enforcement will not help organizations unless they represent national security interests.
Why Backup Just Isn’t Good Enough for Ransomware Protection
Backup is only a copy of either your files or of your data from a certain period of time. For clouds and servers, backups often take the form of system images saved in case a restore needs to happen. You might know them as snapshots or restore points. This issue of exactly copying a system from an earlier point is why they aren’t to be trusted for recovering from a serious ransomware attack. If the ransomware existed on earlier backups, the ransomware will still exist on the system. Or, if important data has not been backed up at the time the encryption activates, your business may still need to pay the ransom to recover the data.
Another primary issue is backups (even at the enterprise level) will likely not cover all attack surfaces. Desktops, employee devices, internal servers, etc can all be sources of ransomware. Unless all those systems have been completely wiped and restored the ransomware will still be a risk. And it’s a MAJOR risk. For example, 65% of businesses allow company applications to be managed from personal employee devices. And the advent of bring your own device policies (BYD) and remote work has created a large attack surface relatively out of control for security personnel. If ransomware attacks, you might potentially need to wipe all these devices, and even then, they are likely to be attacked again. After all, 80% of those that paid ransom were attacked again shortly after. Add human error and the mix like poor password management, clicking on phishing emails, etc, it’s likely your organization will find itself in a position where even the backups are infected.
Backups Can be Trouble for Healthcare, Insurance, Law, Logistics, and Co
Relying on backups for ransomware protection and ransomware recovery plan presents big issues for healthcare, insurance, law, logistics, and other key industries that handle the most sensitive data. Data must constantly be fresh, downtime isn’t tolerated, and there are extra-legal compliance issues.
Let’s take the most valuable industry for a ransomware attack - Healthcare. 88% of ransomware attacks in 2016 targetted healthcare. This is because healthcare includes rich insurance companies, hospitals, pharmaceutical companies, etc that must all comply with regulations like HIPAA. If medical data is compromised there are serious financial penalties. HIPAA violations start at $50,000 if deemed criminal. And an attack can lead to several violations. Individuals involved with the data might also face civil charges and be fined thousands for personal negligence. Lawsuits will also be brought forward by patients, clients, and business partners, and there will be a massive, long-term breach of trust between the target, its partners, and clients.
All the above industries will have similar repercussions should a ransomware attack happen. To put just how valuable this data is into perspective, the biggest ransom payment ever was by an insurance company for $40 million dollars!
Ransomware creates a unique challenge for these industries because the data must be fresh aka they can’t just lose fresh patient data, or law documents, or logistics tracking info. Downtime, especially in healthcare and logistics, could be fatal for the business and the average recovery time for a ransomware attack is 15 days. imagine a logistics company going down for 15 days for ransomware recovery. The ransomware attack would likely kill the business.
What To Do Instead of Rely on Backups
Ransomware attacks don’t just happen out of thin air. There must be an exploit into a businesses’ infrastructure that allows a serious attack to happen. The major ways ransomware invades a business are through phishing emails, RDP attacks, downloading files from unapproved sources, and software vulnerabilities. Here’s how your business can defend against a ransomware attack.
Login Security Enforcement
One of the easiest ways for ransomware to get onto systems is by guessing passwords. In fact, most infiltration via RDP happens because a password was guessed.
Passwords should be a minimum of 12 characters long, be unique, and contain letters, numbers, and symbols. Each password for every system should also be unique. The best way to achieve this without losing critical passwords is using a password manager with enterprise functions like Bitwarden, LastPass, OnePassword, etc. These tools will save and autofill complex passwords so your team builds a habit of consistently using unique, strong passwords. Also, with enterprise plans, you can manage employee password access and share system access without sharing the password itself. Password changes should be enforced by admins often, typically once a quarter.
Login security enforcement should also consist of implementing two-factor authentication (2FA) as much as possible. This means that even if a password is compromised, a trusted employee will still need to provide a one-time code to access a system. This code will be generated in a separate application from the password manager. Most updated systems allow 2FA. Popular 2FA apps include Authy by Twilio, Microsoft Authenticator, Google Authenticator, Last Pass Authenticator, and more. Again, these can be managed by a company admin to provide and deny access to employees.
If you are in healthcare or another industry that requires employees to log behavior when interacting with data you will need to implement logs across your systems. Our virtualized data center system for our Virtual Private Clouds shows all activities logged on servers. Our logs depict the user, time, and activity whenever acting in the cloud OS. For more tips on how to best implement logs across your stack please contact a cybersecurity professional.
Backups
This article is about why you shouldn’t rely on backups for ransomware protection, but having backups can be good as a last resort. Have backups be taken to match the frequency of data changes on your systems. For example, a central server may need real-time backup with at least a month’s retention while an employee computer is maybe able to manage with nightly backup and 1-week retention. You might also speak to an industry consultant if you are in an industry that is heavily regulated like healthcare or finance. HIPAA for example requires backups to date back 7 years.
Ultimately backups depend on the value of your business’ data and its risk tolerance. Backup should be a part of your strategy as it can potentially thwart a ransomware attack depending on the ransomware worm, date infected, and encryption level.
Phishing Email Training
Phishing emails are the most common way that ransomware attacks spread. All it takes to spread ransomware across your company is an employee logging into a deceptive page they were sent or downloading a malicious file. Part of your ransomware protection plan needs to include training all company personnel on how to identify phishing emails.
Stay Ontop of System Patches
Windows and other operating systems frequently come out with security patches. You should update systems as soon as these updates become available because they often stamp out zero-day vulnerabilities that are actively, or will soon be taken advantage of by ransomware. Patches will typically state what the vulnerability is that is being patched.
In rare cases, updates can open up vulnerabilities so it’s important your systems admin stays up to date on the latest patches. Bad updates are typically reported on very quickly and subsequently pulled by software or hardware providers.
Certify All Media
Ransomware can infect a system via a bootable image or other form of media where the infection can lie dormant until activation. Examples of this happening can be placing infected USBs in public places or employees downloading media from untrustworthy sources.
Your business needs to set a policy where all media is labeled including both software downloads and physical media. All storage should also be labeled. Those in charge of systems and security need to also create an internally accessible database to access storage media if one is not already set up. This creates a safe place where employees can access any media. The database can also be set up with granular permissions to make sure only certain individuals or departments can access it.
Consider Work From Home and BYD Policy
Businesses are transitioning to Bring your own device (BYD) and work from home to save money and increase efficiency. Personal devices represent an easy front for ransomware to infiltrate the business. 65% of companies allow company applications to be accessed from unsecured personal devices). The rise of work from home also creates an attack vector because now leadership has less oversight on these personal devices. this means that the company is exponentially more exposed to a potential ransomware attack.
Your business needs to consider its work from home policy and BYD policy as potential attack vectors. And it should consider if these policies are right for the security of the company.
Companies are attacking work from home and BYD security issues via open desk policy, enhanced employee monitoring, etc. One of the easiest solutions would be to simply return to employees using company-issued devices. This allows IT to add security parameters, features like active directory log in, and more.
You MUST MUST MUST Have a Last Line of Defense Against Ransomware
If you are in a highly targeted industry like healthcare, insurance, law, logistics, or finance, chances are a ransomware attack isn’t a question of if, it’s when.
Zebra Ransomware Stopper is a unique solution for the Windows operating system that provides a last line of defense for ALREADY INFECTED SYSTEMS. It draws out the ransomware, captures it, and stops the encryption process. It notifies you whenever an encryption process has started so you can take immediate action.
Zebra Ransomware Stopper is different than most security solutions because it is signatureless. Being signatureless allows the software to detect ransomware that is not part of a signed package i.e. still unknown to most cybersecurity software. Given the increased frequency at which new ransomware is produced, not all will have signatures by the time they infect your system. By using Zebra Ransomware Stopper you can make sure your system is defended, even if the ransomware has breached past all other security you’ve put in place.
Learn more about Zebra Ransomware Stopper
Conclusion
Ransomware is a scary reality for virtually all businesses these days. The idea that your files could become encrypted without your permission, blocking you from the data you need to operate your business is scary. But ransomware at this point does not typically infect hardware, so it’s limited to software. This means there are many means of both preventing a ransomware attack and establishing ransomware prevention. Use the tips on this list to make sure your business remains protected.
Oh, and if you are considering cyber insurance like many businesses these days, protecting yourself using policies like these will either lower your premiums or be mandated by the insurance company.